Meta Description: Accidentally pushed your .env file to GitHub? Learn how to permanently purge secrets from your Git history using git filter-repo and BFG Repo-Cleaner, plus how to rotate exposed API keys safely.
Late-night commit. One quick git push. And suddenly your Supabase keys, database password, or Stripe secret token are sitting in plain text on a public GitHub repository — visible to anyone, forever (or so it seems).
If this just happened to you, take a breath. It's one of the most common mistakes in software development, and it's completely fixable. This guide walks you through why it happens, how to permanently scrub the secret from your Git history, and the one step almost every tutorial forgets to mention.
Table of Contents
Why Adding .env to .gitignore Doesn't Fix It







